'\" t
.\"     Title: shadow
.\"    Author: Julianne Frances Haugh
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\"      Date: 09/18/2016
.\"    Manual: File Formats and Conversions
.\"    Source: shadow-utils 4.4
.\"  Language: English
.\"
.TH "SHADOW" "5" "09/18/2016" "shadow\-utils 4\&.4" "File Formats and Conversions"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
shadow \- shadowed password file
.SH "DESCRIPTION"
.PP
shadow
is a file which contains the password information for the system\*(Aqs accounts and optional aging information\&.
.PP
This file must not be readable by regular users if password security is to be maintained\&.
.PP
Each line of this file contains 9 fields, separated by colons (\(lq:\(rq), in the following order:
.PP
\fBlogin name\fR
.RS 4
It must be a valid account name, which exist on the system\&.
.RE
.PP
\fBencrypted password\fR
.RS 4
Refer to
\fBcrypt\fR(3)
for details on how this string is interpreted\&.
.sp
If the password field contains some string that is not a valid result of
\fBcrypt\fR(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means)\&.
.sp
This field may be empty, in which case no passwords are required to authenticate as the specified login name\&. However, some applications which read the
/etc/shadow
file may decide not to permit any access at all if the password field is empty\&.
.sp
A password field which starts with an exclamation mark means that the password is locked\&. The remaining characters on the line represent the password field before the password was locked\&.
.RE
.PP
\fBdate of last password change\fR
.RS 4
The date of the last password change, expressed as the number of days since Jan 1, 1970\&.
.sp
The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system\&.
.sp
An empty field means that password aging features are disabled\&.
.RE
.PP
\fBminimum password age\fR
.RS 4
The minimum password age is the number of days the user will have to wait before she will be allowed to change her password again\&.
.sp
An empty field and value 0 mean that there are no minimum password age\&.
.RE
.PP
\fBmaximum password age\fR
.RS 4
The maximum password age is the number of days after which the user will have to change her password\&.
.sp
After this number of days is elapsed, the password may still be valid\&. The user should be asked to change her password the next time she will log in\&.
.sp
An empty field means that there are no maximum password age, no password warning period, and no password inactivity period (see below)\&.
.sp
If the maximum password age is lower than the minimum password age, the user cannot change her password\&.
.RE
.PP
\fBpassword warning period\fR
.RS 4
The number of days before a password is going to expire (see the maximum password age above) during which the user should be warned\&.
.sp
An empty field and value 0 mean that there are no password warning period\&.
.RE
.PP
\fBpassword inactivity period\fR
.RS 4
The number of days after a password has expired (see the maximum password age above) during which the password should still be accepted (and the user should update her password during the next login)\&.
.sp
After expiration of the password and this expiration period is elapsed, no login is possible using the current user\*(Aqs password\&. The user should contact her administrator\&.
.sp
An empty field means that there are no enforcement of an inactivity period\&.
.RE
.PP
\fBaccount expiration date\fR
.RS 4
The date of expiration of the account, expressed as the number of days since Jan 1, 1970\&.
.sp
Note that an account expiration differs from a password expiration\&. In case of an account expiration, the user shall not be allowed to login\&. In case of a password expiration, the user is not allowed to login using her password\&.
.sp
An empty field means that the account will never expire\&.
.sp
The value 0 should not be used as it is interpreted as either an account with no expiration, or as an expiration on Jan 1, 1970\&.
.RE
.PP
\fBreserved field\fR
.RS 4
This field is reserved for future use\&.
.RE
.SH "FILES"
.PP
/etc/passwd
.RS 4
User account information\&.
.RE
.PP
/etc/shadow
.RS 4
Secure user account information\&.
.RE
.PP
/etc/shadow\-
.RS 4
Backup file for /etc/shadow\&.
.sp
Note that this file is used by the tools of the shadow toolsuite, but not by all user and password management tools\&.
.RE
.SH "SEE ALSO"
.PP
\fBchage\fR(1),
\fBlogin\fR(1),
\fBpasswd\fR(1),
\fBpasswd\fR(5),
\fBpwck\fR(8),
\fBpwconv\fR(8),
\fBpwunconv\fR(8),
\fBsu\fR(1),
\fBsulogin\fR(8)\&.
